Re: [TLS] ECH/ESNI - is accept confirmation calculation brittle in the face of errors?
David Benjamin <davidben@chromium.org> Fri, 19 March 2021 21:59 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E4993A11C1 for <tls@ietfa.amsl.com>; Fri, 19 Mar 2021 14:59:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.495
X-Spam-Level:
X-Spam-Status: No, score=-9.495 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YwQ7B7okFoTA for <tls@ietfa.amsl.com>; Fri, 19 Mar 2021 14:59:13 -0700 (PDT)
Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96E7A3A11BE for <tls@ietf.org>; Fri, 19 Mar 2021 14:59:13 -0700 (PDT)
Received: by mail-pg1-x531.google.com with SMTP id v2so4587268pgk.11 for <tls@ietf.org>; Fri, 19 Mar 2021 14:59:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=F/PjXwQ2KZhibdjvEuGKEDlq9GIQa/vtufThrruDlTk=; b=ipFJd+t+XLuGlGxPQazoIDnC2ZSYScGGLjNfRXB8EqgFBYMO1vyBiaCbKljC9TDyGu l78z+IWeRP9ywRhNgHXKYqpuAJ9EuY8lzmfq7jE2+RWBshstFVusudMM15ollbPSbqIN /rVKSKAIr9EFQzlTlvYcjvW4/eHTmMbuZlwJA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=F/PjXwQ2KZhibdjvEuGKEDlq9GIQa/vtufThrruDlTk=; b=FkIGirzQbOSKNMq2C7FTRTLVvmnALcynrrZoDcmYz+D2WkXC6dMEKVWH+3z8040aWf CbYqTmgMZkBfr1c2pz89/eDr/FRAI1afTWItdRGhLtL+PSMRGfROqfWFAWUeexSe+1gw 0UwI77a1pRfQ0Q2dLG5NFSaZHEyM0RqrY9Zd6kuolbpIKEKPdCzH5J+sYw1LbWJ2tHuZ eSbrH0Rw8/6ypFIEQm77csifPS1JJ4n2BYxOonYrtD/pja7XTGbWTcws+LLekQ9sxZl/ gwmoie1rvduVICI03VqY9m7RJVSXRGUGF9R2DgzJHfIG2YSbDyA17AJb8xEHE2VVoF8Z 2+1A==
X-Gm-Message-State: AOAM530YU0TUm0owh9ndn5tEhuk903M0FF72Vd+Wn0c7HNBzYwvfJz/w xIgbg8TlIp2CdFFcxoXw/5HXtoIFlLKIrc3mJ7E+
X-Google-Smtp-Source: ABdhPJzcwSLc0jxnu99PLi+BCtYu2g0uJBRJWlw8fBrh7S5hCe2m8hzJO206CSrkieyLuWZH4gFKyhO82dl3j5KB23c=
X-Received: by 2002:a65:62d9:: with SMTP id m25mr5309772pgv.6.1616191151938; Fri, 19 Mar 2021 14:59:11 -0700 (PDT)
MIME-Version: 1.0
References: <6f6918e1-5aae-1d3c-7fd5-2a17cda2e1bd@cs.tcd.ie> <CAF8qwaACwudz3=LYBxGEuwdx-nJaHc9gQELJEK18TF1YQyU+EQ@mail.gmail.com> <CAG2Zi21Ab+899e-URDe3ePDsUCaRVbXb+090=PkdR4dz0ZfToA@mail.gmail.com> <734bb026-d438-9a96-4008-da6c681c439c@huitema.net> <17ac7ac3-a8ff-bb9e-4746-01caec8e49f1@cs.tcd.ie> <5afbdacb-e137-d036-bbdf-cfa021498861@huitema.net> <CAF8qwaAwHaWAvBFzaZ-sTx6LqP-mRbvw6nP=gjb1wGWk1Sy_ug@mail.gmail.com> <19e3cdaf-451c-e03a-6d4e-a8dd46d4e8b5@cs.tcd.ie>
In-Reply-To: <19e3cdaf-451c-e03a-6d4e-a8dd46d4e8b5@cs.tcd.ie>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 19 Mar 2021 17:58:55 -0400
Message-ID: <CAF8qwaAcv=KbNJ-W6QY_w756HApE7ehjc1bFx21gMNrchqkZBg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Christian Huitema <huitema@huitema.net>, Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000080721e05bdead3c4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Yey0yVDBOUQzrL1Q29W9XuUCyQw>
Subject: Re: [TLS] ECH/ESNI - is accept confirmation calculation brittle in the face of errors?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Mar 2021 21:59:15 -0000
On Thu, Mar 18, 2021 at 4:07 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > On 18/03/2021 19:17, David Benjamin wrote: > > I don't think I'd agree that *most* of the work is in the secret > > computation per se. Actually doing trial decryption with > > the secret requires reaching down into the record layer. > > This is especially onerous for QUIC, where the record layer > > is offloaded to another protocol (often outside the TLS > > library). > > Ah, fair point - I've not looked at QUIC at all. But how > are encrypted extensions and tickets handled in such cases? > If those are handled in the original library then a trial > decryption should be possible too maybe? > QUIC replaces the record layer and keeps the TLS handshake. So as the TLS handshake progresses, it hands keys (handshake traffic keys, etc.), to QUIC to install. When TLS needs to write an EncryptedExtensions or so, it hands QUIC cleartext to encrypt. When QUIC decrypts a record and sees a CRYPTO frame, it hands the results to TLS to process as handshake messages. The draft is here: https://datatracker.ietf.org/doc/draft-ietf-quic-tls/ In all the stacks I'm aware of, there are QUIC-specific APIs to install a custom record layer of sorts. And thus the nuisance with trial decryption and friends. Every new feature we push down to the record layer changes that record layer interface. This means more coordination between QUIC and TLS. Something like trial decryption would require TLS hand QUIC both sets of handshake keys. Then QUIC would need to do the trial decryption and report back to TLS which set of keys won. (If you're working on an OpenSSL ECH implementation, you probably won't see this because OpenSSL doesn't have APIs for QUIC yet.) David
- [TLS] ECH/ESNI - is accept confirmation calculati… Stephen Farrell
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… David Benjamin
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… Christopher Patton
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… Christian Huitema
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… Stephen Farrell
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… Christian Huitema
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… David Benjamin
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… Stephen Farrell
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… David Benjamin
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… Christian Huitema
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… Stephen Farrell
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… Christopher Patton
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… Stephen Farrell
- Re: [TLS] ECH/ESNI - is accept confirmation calcu… Christian Huitema